ZAP Integration with Jenkins on Ubuntu

[Vale Asencio Uribe]

Hi everyone,

I hope you're all doing well :)

I'm trying to connect Jenkins and Owasp Zap in an ubuntu server but I can be able to configure neither of the two parts correctly, so I appreciate if any one can help me out with this.

Thank you very much for reading my post,

regards

Valeria Asencio Uribe

[Simon Bennetts]

Hi Valeria,

Can you let us know what steps you've followed and what problems you are seeing.
Any error messages reported would also be very helpful.

Many thanks,

Simon

[Vale Asencio Uribe]

Hi, thanks for answer me!! 

Well, I followed this video https://www.youtube.com/watch?v=mmHZLSffCUg&t=499s and this thread of Q&A https://groups.google.com/forum/#!topic/zaproxy-jenkins/LJ55DTWeadw since he had the same problems that I have but he made it work, I don't lol.

So, details: This is for my thesis, and one of the task is integrate Jenkins and Zap, both of them has installed on ubuntu server and it dosen't a GUI, so ZAP work in a headless mode. I follow all the documentation of Execute ZAP from Jenkins plugins and all that but still doesn't work. I think because all that is for Windows, I don't know.

My problems is this, in the video (min 8:19) they copy the persisted session the ZAP to the Job's Workspace. So, how can do that if I don't a GUI? I think that is for that reason that I can't see my Load Session in the configuration Job (Picture 1). So, I configure for Persist Session but still doesn't work :( And when I want to generate report html says error 404.

I will post screenshots of my configurations of Jenkins.

Thank you very much!!

Regrads, 

Valeria

P.D: Sorry for my english and the hour of reply I'm from Chile and we have diferent time zone.

[Vale Asencio Uribe]

[lil_men69]

Hello,

fews things you should change,

your zap installed  system directory must be different from zap home directory.

Configure ZAPROXY_HOME as the system environment variable in the Jenkins configuration

Also follow ZAP Jenkins job configuaration

https://wiki.jenkins.io/display/JENKINS/Configure+the+Job

Cheers

L.

[lil_men69]

Also the different from windows to linux is in job configuration. on Run Configurations

on windows we use "%" in linux "$"

[lil_men69]

If you have zap session files saved somewhere

You can copy-paste them in "Jenkins/workspace/Job_Name/session" directory

Error 404 is a Jenkins bug. it doesn't matter ZAP still works

Cheers

L.

[Vale Asencio Uribe]

Hi. thanks for answer me :)

- Can you point me, in the picture that I attached, which one is my zap installed  system directory and my zap home directory? I really confused about that because in the documentation in the link shows a both but in my version of Jenkins only have Zap home directory.

- I use $ in my configurations, like this $ZAPROXY_HOME

- Well I figure that I'll have to copy-paste my session on the server but I connect to server through client ssh and de server is in mode headless, so I'm trying to figure out how to copy-paste it on the server.

Regrads, Vale =)

[phani kumar]

Are you able to run ZAP scanning successfully in no GUI mode? I have an issue where my configuration is unable to listen to the proxy. If you are able to successfully run the ZAP with Jenkins without issues. Please let me know. A document or link will really help me a lot.

[Vale Asencio Uribe]

Yes, I download and installed on Windows. You configure the certificate? I use this https://2buntu.com/articles/1517/adding-ssl-certificates-from-owasp-zap-a-visual-walkthrough/

[Vale Asencio Uribe]

Hi everyone, like I said, I have Jenkins and ZAP installed on server ubuntu, when I build on Jenkins a got what attachment in the picture. 

Can anyone say to me why is this error?

On Jenkins says that there is to modify the .bat file, on linux is the zap.sh file? I tried but I don't know how put Zaproxy_home there.

Thaks so much.

[JordanGS]

I've created a fresh Ubuntu snapshot and installed zap, unable to replicate your error. Are you able to run ZAP (UI) successfully, not the jenkins plugin?

[Vale Asencio Uribe]

I can run Zap on Jenkins finally :) but I have an issue, when I click the option export HTML report, the build failed and says Plugins Missing but when I just generate the HTML report without publishing is all good. Why happens?
I download the plugin export report and put in the carpet of Zap on the ubuntu server.
Zap runs wothout GUI, in Daemon Mode, os that a problem to generate the report?

[lil_men69]

Hi, 

in Daemon mode could you export the report ?

cheers

[Vale Asencio Uribe]

Hi, I can generate the report, the one that saved in the workspace, but when I click in export remot for publish the html report, ZAP says REQUIRED PLUGIN(S) ARE MISSING

[lil_men69]

Hi, 

how did you install export report addon in zap tools.

to know more on cmd line, addons install...

https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline

https://github.com/zaproxy/zap-extensions/blob/master/README.md

<zap-script> -daemon -addoninstall exportreport-alpha-4 may help you.

Or If you have download exportreport-alpha-4.zap file, you have to add export report path in zap config.xml file

Cheers

[lil_men69]

When export report addon will be add in zap tools, 

then you could use it in zap plugins

[Vale Asencio Uribe]

I donwloaded the exportreport-alpha-4 and with the program called WinSCP I put in the server on the folder called PLUGIN of Zap.This is the folder or it should be on another folder?

How I should give the path of export report to config.xml? What is the syntax? This is the only that I haven't done.

[lil_men69]

Hi,

is those lines appear in your C:\Users\name \OWASP ZAP\config.xml

<addon>

<id>exportreport</id>

<version>4</version>

</addon>

if not may be try to add them.

But the easiest way to install an addon is by doing

<zap-script> -daemon -addoninstall exportreport

cheers

[lil_men69]

But how you have add the addon on zap is the good way

[Vale Asencio Uribe]

OMG DID WORK!! THANK YOU!

I use your advice ./zap.sh -daemon -addoninstall exportreport and works =)

but, I have another issue, the report has not format =( is because is runing on daemon mode? Is there any add on that can give format to the report? 

I attached how zap exported the report on jenkins.

Thank you for all the help

[JordanGS]

Try a different browser, it's pure css and html so if you go into the source all the formatting is there. It's your browser that's blocking the css due to some setting it has enabled probably. I use Firefox and Edge myself, i know Chrome can have display issues for some users.

[Vale Asencio Uribe]

Yes!! It's works on Internet Explorer!!!! Chrome and Firefox don't show the format. THANK YOU.

I have another question, in the part on Export Report -> Source Details -> Scan Date, is there any environment variable that can give the actual date? I want that en each build that field shows the actual date, no that one that I put It, I don't know if you cath what I'm trying to say lol I hope you do.

Thank You!

[JordanGS]

I understand and no, ZAP does not currently track the scan date and so the plugin has no way of getting it. You're welcome to submit a feature request to the official project and maybe they'll add it into a future release. However for now there is nothing for me to pull. Sorry :(

[Vale Asencio Uribe]

It doesn't matter, it's a little detail. I tried with the TIMESTAMP though but didn't work. 

The important thing is that is working! And this plataform help me a lot because you guys answer very quickly and take the time to understand every single request, so big thank you!!

Greeting from Chile